Event data is saved in binary form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata in open non-encrypted form.
By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. Kaspersky Endpoint Agent component does not manage access permissions to this folder and any files in it. It is the system administrator who determines access permissions.
Event data can contain information related to the following:
Data on executable modules.
Data on network connections.
About the operating system that is installed on the computer with Kaspersky Endpoint Agent.
Data on user sessions in the operating system.
Data on operating system user accounts.
Data on Windows event log.
About alerts of Kaspersky Endpoint Security for Windows.
About organizational units (OU) of Active Directory.
HTTP protocol headers.
Fully qualified domain name of the computer.
MD5- and SHA256 hash of files and their fragments.
Unique ID of the computer with Kaspersky Endpoint Agent.
Unique IDs of certificates.
Certificate publisher.
Certificate subject.
Name of the algorithm used to generate the certificate fingerprint.